
Confessions Of A Bug Bounty Triager

BSides Leeds · 2019 · 48:48 · 3.9K views · Published 2019-01

Tags: Category: Community · Team: Blue · Style: Talk
About this talk
Abstract: There is plenty of info out there on participating in Bug Bounty Schemes or on helping vendors start programmes, but very little of it is written by the people actually dealing with the reported vulnerabilities. Aimed at both Hackers who want to maximize bounties and have less pain dealing with vendors, and vendors looking for an unbiased view from the trenches, this talk aims to give the Blue side of the Bug Bounty story, from somebody who has spent the last 18 months triaging reports and working with the Bug Bounty Platform providers. For Hackers, learn how to make sure your reports are taken seriously and how to avoid being "that guy" who nobody wants to triage reports from, as well as hopefully gaining some insight into why your "ZOMG! Worst Bug EVER!" report isn't always given the attention you think it deserves, and how to actually get help from the vendors on things you're investigating. For vendors, learn from somebody who has spent the last 2 years at the coalface learning what works and what doesn't about the pros and cons of encouraging random third parties to attack your stuff with near impunity, and how to get the best from the reports you receive.

Speaker Bio: Despite being an old school hacker who has done almost every job in IT during his career, Glenn decided that he wouldn't just join the unsexy "Blue Side" of InfoSec, but he'd then specialize in the least cool part he could find (at least, without needing the CISSP qualification): Vulnerability Management. By day he does Vulnerability Management and Security Risk Management for SkyBet; by night, well, he tends to post on twitter a bit and then has an early night as he's getting on a bit.
Transcript [en]

So folks, Confessions of a Bug Bounty Triager. My name is Glenn, I'm a senior cyber security specialist at SBG, try saying that after a few beers. I'm an old-school hacker, so this is an original 2600 t-shirt, at least, probably older than some of you in the room. I do triage, yeah, that's one of the more interesting bits of the job, that's the bit I talk about. I wasn't going to explain what the rest of my job was, I was going to quickly gloss over some of the other bits I do, well actually it does fit lovely with the talk you did before, in so much as part of my job is

acting as a bit of an interface between security and people like our development teams and infrastructure teams, so that they actually get security, so we can actually fix things earlier on in the process, so we're not just finding out about problems at the actual time of the stuff going live, which is exactly what they were saying that we should be doing. So it's nice to... not supposed to go there, I have something, but realistically my actual main sort of facet at work is I'm just the old guy who yells at cloud. Brit cloud, on obstacle, yell as your head of stcp, I hit them all equally, give me ten, give me number two, I was in violence any day. So before we get

started, I humbly remember the original disclaimer for South Park, I kind of need something similar for this. I've been working on a bug bounty program now for a good couple of years, however that is only a small part of my knowledge on this. I spend a lot of time talking to other triagers, a lot of time talking to pen testers and bounty hunters, the two or three of you in the room that have been tested to death by me asking questions, trying to actually work out what makes you tick, what you want out of a program, to make our program better. I also, also, because a lot of triagers, one of the things I've not managed to get a

lot of feedback from is triagers that work for the platforms themselves, I tend to be talking to the triagers that actually triage straight for the companies. So with all that, take on board that everything I'm about to tell you is a very limited viewpoint, although the opinions may be perfectly valid. Be aware there are some good reasons that our scheme is atypical in some ways, so what works well for us may not have worked quite so well for others and vice versa, so basically take it all with a pinch of salt. Oh, additionally, yeah, don't think that any of this is my original work, I actually came into SBG at just the right time, the bug bounty scheme was already

launched, somebody did a lot of the work and I'm just riding on their coattails now. So I wrote the abstract for this literally after two hours' sleep, having just taken my OSCP, so I had to actually contact Mark and Chloe and ask them what I'd actually said I was doing it on, and I realised that in the abstract I'd written that it was going to be something for both Blue Team and Red Team, for vendors looking to do bug bounties, and talk about hackers, which I realised afterwards was a mistake. So what we've got, so at this point some slides, I wanted something a bit red and blue, I am a Captain America fan, works well for me. I let my

wife proofread my slides and she went, yeah, it's alright, I get the whole Red Team Blue Team thing, it's not very you, is it? So very major one, I thought, you did, boom, sort of more Elmo and Cookie Monster, it's like, that is genius. Now my job is so much easier when I think of sort of the red team as team Elmo and the blue team as team Cookie Monster, that's just my favourite InfoSec thing ever, well, what is, genius at times. So why do we do it, why do we get into this whole bounty scheme? As you touched on before with the whole responsible disclosure bit, vulnerabilities happen, they're out there, companies like to know about them,

ideally before everybody else does. So we'll start off on the red team, why do bug bounty people want to do it? Well, according to the 2018, was it, HackerOne top five reasons: to learn tips and techniques, fair enough; to be challenged, definitely, very challenging; to have fun, Karl, I'll give you that, I've started playing at that side of the equation, our stuff is definitely fun; to make money, certainly, I mean it's very good rated and better to catch for yourself; and career advancement, interesting. In a stat I haven't got up there, only three percent of people said that one of their major reasons was to show off, that's a lie, everybody

I know, myself included, loves to show off. It may not be a primary driver, but back in school we want to talk about it. So from the blue side of things, from team Cookie Monster, why do we do it? To cost-effectively find vulnerabilities that would otherwise have been missed, that is our primary driver. We are not interested in finding out who the best hacker is or who the best pen testers are, we don't really care that much about the rest of it, Hyundai you absolutely hero, that is utterly our main driver, to find those vulnerabilities, and under the cost-effective bit I'll talk a bit later about why and when bug bounties are cost-effective in some

cases. To increase customer or board confidence in your product, it's great to say we are secure, if you say we are secure and we're putting our money where our mouth is, yeah. You'd only went from that to a public disclosure, again, at the end of your talk, as they just mentioned the fact that public schemes are kind of an extension of responsible disclosure, so if you've got a public scheme, responsible disclosure kind of has to be an underpinning of that, that they do that. And finally, no, we don't use bug bounty schemes as a way of paying ransoms, if you don't know what that refers to, Bravo Reid. So as the blue team was a

fear that the whole point of this talk was to start to give you a view from our side of the fence, because triagers just don't talk about it very much. So what do we care about? And we do care, we do genuinely care. We care about how quickly a vulnerability is resolved so we can get on to the next task, we are busy people. Doing triage is a bit like doing customer support, which, it's fun, it's a lot more interesting, it's a lot more challenging, but realistically we've got a stack of reports to get through, we don't want to spend the day on it, we just want to get on and do the next thing. And we care about what the actual risk to

the business of the vulnerability is. A large part of our role is actually assessing risk, in fact pretty much all we do in one manner is referencing risk in one form or another, so it's looking at your report, trying to work out just what the actual threat from that is, and there isn't necessarily always... you know, we do get reports where that's interesting, that's definitely wrong, a coder's definitely made a mistake there, however the risk to the business is pretty negligible. And how long it's going to take the dev to resolve the issue. Like yourselves, we want to see it fixed and, you know, we don't want to see it hanging around, afraid

so we're kind of interested in what that time to resolution is going to be. And we're also interested why there isn't a better way of handling duplicates, because duplicates are as annoying for our side of the fence as they are for you, we don't like them anyway, and I've yet to find somebody in the industry that's found a good way of dealing with them. And we do genuinely like to keep hackers happy, we're kind of on your side, we deal here our habit, however keeping our bosses happy is much more important, and bear that in mind, that ultimately somebody's paying our cheque and we're not going to throw ourselves under the bus

to keep you happy, we are there on behalf of the company at the end of the day. So the stuff we don't care about, understand that a lot of this... we don't care about who you are. So seeing things that you have and that big names are favoured in this industry, and whilst there is an element, talk to you, to get invites on to some programs, that's true, but once you're on a program, we as triagers, we don't care who you are, we don't care if you're a big name or a first-time reporter, we rarely actually bother looking at that. We don't care about your kudos or rep or whatever you're getting out of

this, it's irrelevant to us. Of all the people I've talked to, nobody is getting pressured to actually minimise their bounty payments. The pressure is to be fair, to be consistent, to make sure that actually nobody can come back and say afterwards, well, you know, why did he get X and he got Y. I've never found anyone actually pressured to keep the money down, despite what some people think. We don't care about the history of the vulnerability class, I do laugh at when people send in history lessons explaining to me just why cross-site scripting is such a bad thing, dude, we deal with dozens and dozens of these, trust me, I know. And we don't care, I don't

really care how clever your hack is or how hard it was to find, spit on ferati, we do appreciate a good clever hack, but realistically fools get the job done. It's not... the fact that we don't really take into account how much effort you put into it, we take into account what the actual risk to the business is. If you've stumbled across something because you literally typed something, versus you spent months hammering at something, we're going to just evaluate that, look at the relative risks, and it may be the thing you've stumbled across because you typed something is actually riskier, that's what's gonna get you the bigger payment. So the basis of this

talk is kind of questions that I've been asked about bug bounties over time, that I've kind of rolled in, that I want to share with you. It came from a conversation with Sean, who may or may not be in the room, at DC151, where I got talking to him and I didn't realise that actually bounty hunters don't know about our side of the job very much at all, so the knowledge gap is quite a lot. Why doesn't my report get the attention it deserves? You dropped something, you didn't, you've given us this big vulnerability, why, you know, why are we not running around like my hair's on fire? Whole bunch of reasons for it, and

first one, starting off with a quote from Katie Moussouris. If you're not aware of Katie Moussouris, she's kind of the queen of the bug bounty game, she was responsible for getting Facebook's programme off the ground, for getting the DoD and the Air Force bug bounty programmes off the ground, she kind of wrote the book on bounty hunting, and she's now very much at the forefront of ensuring that only the right people start bug bounty schemes. I'm putting up there: not right for everything. And one of our main reasons, people are very concerned about vulnerability disclosure but most organisations aren't ready for them, absolutely, and it's all to do with flow control. Flow control is your ability as

an organisation to take new reports in, to look at them, to evaluate them, to triage them, to get them fixed, to get that deployed, and go around that cycle. If you can't do that fast enough it causes you headaches, and quite often with other organisations, again this is coming back to talking to all the triagers, I actually think we do pretty well. If that flow control is broken, if your flow of data in is faster than your flow of data out, everything gets stuck in the middle, and your bug just gets lost there because it's just in an ever-growing pile of problems. So looking for something to illustrate this with,

imagine that your lovely crafted PoC that you've just given me for your awesome vulnerability is that amazing-looking pancake over there. If your flow control is broken in your organisation or bug triage, this is what happens. I hope this works, I love this, so I took a... play, no, can you play, come, play, take, pause

[Music]

When the pipeline doesn't work, that exploding pink bunny is a dev team, and I've talked to people that have had them. If you can't get that flow through, then your pancake is just going to be lost in a huge pile of all the other pancakes, so that's one reason that your report may not get the attention it deserves. Second one, ease of triage. Thankfully, because of our program, I'll talk a little bit about our program a bit later on, with our program we get really good signal, so we don't get a lot of rubbish reports, but some people, all the triagers, they get some absolute dross. So what we want is something like that, with

general, generalist technical people, we generally get what we're looking at. Give me a PoC, come and give me, absolutely, have some time, no, I hope to ask, do we, laughing, yeah, just replicate my second beautiful proof, proof of concept, that's what I want. What we tend to get is somebody spending sixteen pages explaining why CSRF is a bad thing. So just, obviously people cook up, famous series of books, on two books now in the industry, PoC or GTFO applies here. PoC or GTFO: feel free to give me all the information in the world that you want, but if you can get me a nice short simple command or something I can use to replicate, I'm gonna look at

that first. And as I said before, this is a lot like customer support, if you can pick and choose reports, you're gonna choose the easy ones, you can choose the ones you've already got a nice simple PoC for, not one where you have to read an essay before you get going. Three, lack of visibility. Good reps, anybody from SVG in here, that's on par, bad to say over, other than them, we've got some of our reps, they didn't see this, again this is something that we've got really right but I've seen done really badly. So I was just walking through this before, the path from a report coming in to a fix. In a small company, literally

wander over, tell the dev it's wrong, dev fixes it, which in any recognisable form, by the way, hey fantastic, living together, so whatever, I've did not secure, right. In reality in big organisations what can sometimes happen, he says, talking to get the slide back, speaking legal process, again, is that you write your little report, you do your little Homer Simpson bit that I'm desperately trying to get to, you send off your report, it goes off into some huge corporate structure never to be seen again, going to be eaten by beavers. So sometimes the reason your triager isn't talking to you, isn't giving you updates, is because they've sent the report off into the system of tubes and

they're just not hearing back on it. Prioritisation, prioritisation is harder. A large part of my job is prioritisation, and some of the guys down here, a large part of my job, and I'm getting people to work on the right things, it's tough. So you've dropped this awesome thing, you think you've found something really serious, and you think this is what's happening, they're running around trying to put out the fire, this is, you know, really care about my thing, whereas in reality what's actually happening, I think you guys probably know what's coming, you know, you've reported your one thing, you're only aware of your one thing, you've no idea whether we're dealing with one thing

like that or loads of others. Also, prophylactic season, even if you convince us that it's important and we're running around like headless chickens, stevia or any of is it, I was just like receipt, what can happen sometimes in a bigger organisation is an org chart that looks like that, where we get the fire, but actually conveying the importance of that fire through the organisation is kind of tough. Again I think we do pretty well and we're quite proud of that, but I've seen other places where the triager might actually care, we might just not be able to tell you why. We can't tell you anything at this medication, silent alarms, things like that. There are

certain things in there, for example if your activity triggers one of, you know, an anti-money laundering, anything wonderful and rinsing, there's lots of legal issues with telling somebody that they've triggered an anti-money laundering process. Yeah, similar when I worked in sort of chat filtering for a while, there's all sorts of things where the chat would look like it's gone, but it would be in for moderators to go and start to get into things, so it may well be that because you've managed to pull something off, it may be that some things have happened as planned in the background, it's just not necessarily visible to the user that it just happened. The rest of

these are kind of just things that happen sometimes in big organisations that I can't generally defend, but it's the way organisations work sometimes. We've also decided fixing other things, sometimes fixing the risk, so the cost of fixing it outweighs the risk of leaving it. Things get decommissioned, they're putting effort into something that's about to be turned off, it's very hard to convince people to do that. Sometimes it's nobody's responsibility, again I've worked places where this has happened, that literally a team's written a thing, that team's got disbanded, blown to the winds across the company, and the code is just sat there, ephemeral, and trying to get somebody to fix something that nobody's ever touched before is very

hard to do. Source code has been lost, not a personal one, but I've talked to people where that's happened, literally to fix a small vulnerability would have required rewriting the entire application because they no longer had the source for it. Last time it was modified it wouldn't reboot, again people have told me of situations like that, it was just so flaky they have to leave it running and not touch it, and surprise, being breached. There are a whole list of reasons that the information may be stuck with a triager and he can't really tell you why, he can't tell you anything. So to get some attention, a few quick summaries: simple, clear reports that get to

the point, we love simple reports, we hate essays, part of that PoC or GTFO. Build relationships, come and talk to us and let's swap patches. We actually love talking to hackers, actually ask us for more info on things, as you know we can't give away company secrets, but, you know, we may tell you that a certain thing you're looking at is, you know, protected by something or other, or maybe I'll tell you that, you know, actually that code's using this library, so if you're looking for a problem, you know, if you think you've found a WAF bypass, we'll say, well actually we're just using that one over there, go look at that open-source

project, if that's where it's at. We can't give away company secrets, but it's amazing what we can tell you. Patience, we, you know, we care what we're doing but it's still a job, we're not doing this 24/7 365. I know some bounty people that seem to be doing it twenty-four seven three six five, some of the Twitter streams I follow, you look at these guys and, so people in general, you see thirty-six hours of Twitter reports going on, this is like, where did you find time to eat, sleep or bathe in the last 48 hours? We're not like that, I like to go home and see my family. So that was a bit

first, why don't we, why don't we get these results. Question number two, I've been asked this a few times, like the one thing we see, a lot of bounty hunters have never worked on an internal team, have never been developers, they're very very good at what they do but they've never been on our side of the fence, where developers find a sense of, unseen, that sometimes that code gets into production, sometimes for bad reasons, sometimes good reasons. So when people sort of say, yeah dude, this is obvious, this is like simple XSS, how on earth did this make it to production? Again, tying in to the earlier talk, it's not excusing some of this stuff but it's kind of

explaining where it comes from. Sometimes the risk is worth it, sometimes, you know, all the factors that are going to get an application live, security is only one of those, it's all risk-based. Sometimes the risk of cross-site scripting is worth the risk of getting it out there. Again, another Katie Moussouris example that I love is a disagreement she had with a hacker that had found a database with open creds and she wouldn't pay on it, and the whole point was, yes it was a database, yes there was no authentication on it, however it was a read-only database with public data on it. Sure it looks bad, you know, it's not something that

everyone, Edward IRA ever hold of, so this is called practice, but realistically the impact from that was zero. So sometimes the impact is so small that the business will make decisions to just go with it. [Music] And the attitude of next time, do better, without going back and worrying about last time. We're all, we're all getting better at coding, you'll suddenly realise the right way to do things. Any of you that have been in development know you get better all the time, how often do you think, actually, now I understand the value of stored procedures or something like that, do you go back and look at the code you

wrote two years ago and rewrite it? No, you'd make sure you get it right next time, and because of that, because software doesn't tend to go away, old stuff never gets fixed, it never gets improved. Greenfield is easy, brownfield, right there, if you're writing something from scratch it's a lot easier to make sure you've done it right. If you're trying to build something on top of somebody else's truly awful app that doesn't really work, that relies on a three-year-old version of Java or it stops working, doesn't use TLS, if you're building something on top of that you may be stuck with their bad decisions, in which case you're just gonna be polishing a turd. Not all

software developers are equal, and it may well be that the bits of your company on parade, the people that are doing development day in and day out, it may be that they've got this absolutely nailed, and then suddenly you get something like a marketing team or something like that, they can do a bit of HTML, and suddenly they find out that their CMS allows you to do custom JavaScript in there, and off they go and bypass all your SDLCs and all your best practice, and suddenly you're paying out thousands in bounties for cross-site scripting on a platform you didn't even know you'd got. So none of these are excusable but they do happen. Question

number three, why the hell does it take so long to get paid? Again, we're quite lucky, we're atypical, we pay on triage, we know in the industry paying on triage is rare. I think paying on triage is brilliant and I wish more people did it, but, like many things, we're not the, the less common use case on this. So why does it take so long to get paid? Big companies are notoriously slow to release money, if you've ever worked at a small company that's trying to get money out of a big company, it takes forever. This is not just a bug bounty thing, big companies hold onto money as long as

possible, it just doesn't matter, of course it's not that they're desperate, it's just the way business works. However, bounty platforms don't work on credit, they want the money up front, and you can probably already see why these two things don't work together. Predicting the rate you'll pay out is really hard, so you've got a slow drip feed of money over there, and that's a live feed of me being eaten over there. So you could predict quite often a month or two in advance how fast one's gonna burn down, which if you're paying for pen tests or hosting is easy because you've got a price list, but if you pay out bug bounties you may pay sort of a couple of

hundred dollars over three weeks and then get hit for about eight grand in 48 hours, so it's really really hard to manage that flow, to actually make sure that there's always money in when the reports are winning a payout. Again, pay on fix, what if it's never gonna get fixed? That must be a nightmare, the fact if you're reporting stuff to a company and then they're looking at it thinking, well, we could fix it, for all the reasons I mentioned earlier, they're not actually intending fixing that, rabbits do not actually get paid on it. I'm the apparent feared return of, does record a level of trust, and if you don't receive people taking part, you put back

for a remnant problem. So, Lord, I had a talk last weekend to do, that I got else to do, none of it, because I spent most of the weekend teaching myself [ __ ] because I couldn't find a better image to represent bling. I had a picture of Macklemore at one point but I decided that, yeah, bling of Mark, and I realised, well, in fact I can't actually think of anybody less blingy and more money-oriented than Mark. Oh, I brought like, like, dude doing that. So how do you max my bounty, get paid?

Oh, smart doorbell, some reason, mad, or at home, yes, well, things to be distracted, but not as they paid. Demonstrate risk. No matter what, as I said before, we don't care about how clever your hack is, we don't care about how long it took, we do care about risk. So come up with examples that actually demonstrate risk. As an attacker, as a techie, you in the studio, we all understand what JavaScript is, right, but you can pop an alert box, we know that that alert box coming up there means you own the client, you can do anything that's on the client's there, but it doesn't really demonstrate the risk very much. However, if you actually demonstrate stealing SSO tokens and then transform that

simple XSS into an account takeover, because you've managed to log in as somebody else by doing it, that's really easy to convert to risk. When you're a company that actually deals with credit cards all the time, you can just, you can show that with a simple XSS you can get somebody's credit card past that, that's real risk to demonstrate. Let's say, remember that we don't care about the cleverness, we do care about the risk. But understand what matters to your target, ties into that, and, you know, not all companies care about the same, care about risk and reputation, or compliance, for a glycin theta3, same type of deal, we all care about different things. So understand who you're reporting to,

understand what scares them, what are they absolutely terrified about, are they terrified of having another data breach, are they terrified, what are they scared about, having all their customers' accounts rinsed. It may not actually affect what you get paid, most famous schemes are quite prescriptive, but it might well get your fix quicker, and if it's a pay-on-fix scheme, being paid quicker, definitely a good thing. Now finally, think about code reuse. If that vulnerability has made it onto that website, that developer's screwed up, or if that company haven't got a nice system to feed that knowledge back into that software, on my site, off come on, so a bit later then, that mistake can keep being

made over and over again. So if you found a vulnerability in a certain area of the site, look to think where might the same developer have been doing that same thing, and poke, and it may well be that the one vulnerability you found over there, you can find 200 of it over there, and if it's structured right, that's 200 times the payout. Okay, so realistically you can't bribe us, you can try, especially the sweets, it doesn't generally work, in fact, with coffee, well, we can actually help, it's true, we can actually, yeah, we're not, we're not battling with you, we, you know, we want to find those vulnerabilities, if we can give you information, if it isn't

gonna screw the business to give you extra information, without affecting the business, we'll do it. Number five, it's not a new program, why should I bother? This is one that's come from my experience there, that I've now started talking to a lot of other people about. Our program was internal, and for the longest time, probably, I've been coming three seconds, not very good, oh wow. So as we moved from an internal program, where the only people that could report vulnerabilities are people that actively work for us, we've now started inviting a few externals onto it, and the first few people that we invited, the people I've

known for years, have been doing bug bounties, are making money, and quite a few of those looked at the scheme, spent sort of two or three hours on it, didn't find very much, and then moved on and went and found a different target. At the moment I've seen a lot of that, there's a lot of people that go, yeah, you guys have done an okay job of mopping up the low-hanging fruit, it's actually not worth my time spending on your program, I can go over to that program over there and, just so you know, where XSS is for, yeah, no matter where you get them from. And so

we do get, as I said, why should I bother? Well, there are a few reasons why you should bother. A company like ours, hundred-plus code deployments a day, that's a hell of a changing landscape, hundred-plus chances a day that somebody's screwed up. Since, you know, five thousand servers, just one bit of our platform, last time I can find data for, and this is like eighteen months ago, they've got one million three hundred thousand lines of code, that's a lot of scope. People pick new things up quickly, technology can move faster than security. Some of my colleagues down there, on the phones, we're in a company that's encouraged to use cutting-edge tools, we're sort of, you

know, always using the latest and greatest things, which is fantastic, the developers love it, it means that we can attract some amazing developers because they get to play with great stuff, but it means that we somehow have to be ahead of them. And whilst we're, at the very beginning, the old-fashioned stuff with simple web servers on tin rather than ephemeral Kubernetes clusters, but with tin, with a simple VM on it, maybe running PHP, we've got an absolute boatload of tools that are partly out there, partly SDLC, that we've invested in over decades to make sure that crap code doesn't go out the door. So the newer stuff, the tooling isn't as

mature, where it's available at all. Sure we've got internal tools, but it hasn't got all those years of being tested, so it means that the scope for actually new and interesting vulnerabilities coming out is a lot wider. So focus on the new stuff, you know, focus on get to a corner store. Again, one of the interesting things that some of these people said to us seriously about is that they were doing us in a lot, they were looking at the tech talks we were doing to get an understanding of what tech we were using, you know, the fact that we were out and talking about our use of things like Kafka and Kubernetes and stuff, I

was like, ah right, so, you guys... and it was giving them a heads-up, so, I think, go and dig in. OK, people, we use the same tools you do, think about that. Yeah, coming back to the low-hanging fruit thing: if you're just going to hit it with a bunch of off-the-shelf tools, you know what, we've probably already got those built into our SDLC already. If you find anything with them, we've kind of screwed up. Unless... who in the room has actually rinsed quite a lot recently with a relatively off-the-shelf tool? Still, well, yeah, it doesn't take a lot to actually raise yourself above that level of people just using automated tools. And remember the

'how the hell does this get into production' thing that I did a few minutes ago: those things do happen, bad code makes it live. Don't assume that... at every level, somebody decided that was a good idea. Somebody decided that the optimal way to make a door not accidentally come open during the travels was to lean out the window. People make really tough decisions, sometimes bad. Right, so anyway, I think this next section is going to be what I thought was obvious, some takeaways. Gotta get at least one bad joke in there, so back to Cookie Monster and Elmo again. Start off with Team Cookie Monster: some things for the

companies out there that are actually thinking of getting into this game, because I put it in the abstract and really wished I hadn't. When are you ready to start a bug bounty scheme? And again, people like HackerOne do this far better than me; to give you an idea, the people who have come down here, downstairs, they are great, they will tell you how they can make your life easier, they will give you some hints about how ready you are. However, to me, if you can't answer these questions with the right answer, you've got better ways of finding those bugs, really, more cost-effective ways than a bug bounty scheme. Fix those first and then go down and talk to them about

signing up to their program. So: have you had a good pen test? And by good pen tests I mean a skilled tester that you put inside your perimeter and give an open scope, and they come back and you're probably safe. If you're just going 'oh, I'm secure because I wanted a score for PCI', and some sort of trainee with Nessus just scanned it and passed on the results, then that's not a pen test. Do you have a good, strong SDLC with good code auditing? If you don't have a good, strong SDLC, software development lifecycle, if you're literally just shovelling code out the door without any real checks on it and

you're not doing code audit, you will get more value at this stage of your maturity by fixing that before messing around with bounty games. Do you already have a good, working vulnerability disclosure process? If you don't, fix that first; you should, before you even think about bug bounty. That means you should be able to simulate taking a report from a member of the public about a vulnerability they found on your site, and swiftly and efficiently watch that go from this report through to that live fixed code without it getting stuck in the middle. If you can't demonstrate that you can do that, you're not at the stage yet where this is going to really help you. All

you're going to do is pay a load of money to find a load of information you can't actually handle. And on that: can you triage it quickly enough? One of the big problems a lot of people I've talked to who do triage have is that when they start their scheme they open the floodgates and suddenly they've just got a huge stack of incoming problems that they can't actually manage. You know, as a company, one of the reasons that we stayed as an internal-only scheme, so the only people that could report to us were our own staff, we did that to actually make sure that we'd got all the resources in place to be able

to actually triage stuff quickly enough without just having a big, you know, a bit like the pile of bills coming in, just a pile of reports. Similarly: can you fix quick enough? If you can't fix this, this data isn't that much use really. I mean, sure, you can appreciate the risk better if you've seen the vulnerabilities and ranked them, but realistically, if none of this stuff's actually going to get fixed, if you haven't got a good enough development process that you're taking these reports and actually getting fixed code from them, OK, it's just an expensive way to find out a little bit of risk data. And do you have a process that

ensures that all this data is fed back into your SDLC, so the same mistakes aren't made repeatedly? Very similar thing: if you haven't got that, if you're literally just collecting vulnerabilities and fixing them, this is going to be a very, very expensive way of doing pen tests, and a really bad pen test at that, because they're completely open and you'll never get the things you want to. You need to be able to make sure, when you get those reports, that you haven't just fixed that vulnerability, you've fixed the problems in your process that led to that vulnerability getting live on the website. Because I answered a bundle there, oh yeah, and can you achieve steady, sustainable growth and put the brakes on

if needed? One of the big things that I'm seeing people really struggle with on schemes like this is when they've gone right out with a big press release: 'we have a bug bounty', even worse, 'we have a public bug bounty scheme', and then suddenly the floodgates are open, they're getting a million reports, and it's like 'oh, we can't cope with this, but we just told the press we're doing it and we can't stop and we can't slow this down, help, we're drowning'. My advice: do what we did, start small, start internal-only, then grow and invite a few more, so you can actually control that growth. So when problems do go wrong

with your process, when you can't keep up, you can actually go to the people that you're working with: 'sorry guys, we're screwed with the money this month, it's going to be a month or two before you actually get your bounty, because our budget was way off', or 'oh yeah, glad you raised that vulnerability, but you're not gonna see that fixed for a while because we realized that the people who own that code aren't ours, therefore we've re-scoped it'. So you can fix all those sorts of things early on before you let the masses onto your scheme. Final tips for Team Cookie Monster: understand, make sure you're ready, and

you're sure that you have the resources, and things like that. Make sure bounty issues push back into your SDLC. Pay on triage as soon as possible, that's nice; a timely fix is very nice. Grow slowly and control it, rather than having to stop; consider an internal-only launch first. Talk to hackers, be as open as possible, have a clear and concise payment structure, and absolutely do that. I mean, one of the things we learned from our launch is that we initially went with a menu-based payment structure, and that was basically 'XSS $250, RCE a thousand dollars', that sort of thing, and we found out that didn't actually work, that didn't really build risk

into it in any way, and so we switched to a CVSS-based system which, whilst not perfect, is a lot better. There you go: have a system that is fair to hackers. Pay swiftly, because nothing's more annoying to a hacker than thinking they're owed money and not getting it; I know, I've been on the end of their emails. Make sure your triagers are technically proficient: don't treat this as a customer service thing, don't give it to your tech desk; it takes actually skilled people to be able to understand, triage and prioritize this properly. I know these are hard to find; we've had empty job roles on the team, the vacancies have been on there for a while, so if you think you can do it,

come talk to me, ha. ... I hadn't even thought about that before, and I could have done that rather than winging it. Make sure your program results are properly prioritized by risk, not just cost. It's really, really easy to fall into the trap of fixing the most expensive bugs first; if that isn't aligned with risk, you're doing it wrong, you should be fixing the risky stuff first. So, some things for Team Elmo: don't assume ... talk to your triagers, check those stats, talk to your own community, and sharing simple hacking notes may not be

... about that. Yeah, the bug bounty forums, a few of the places that actually talk to each other about programs, find out what's worth being on and what isn't. If your workplace... talk to your workplace about launching a scheme. I appreciate a lot of bounty hunters aren't in bigger organizations, but if you are, see whether you can get them to launch one, because it's a really good way of kickstarting, you know, your career in bug bounty hunting, if you can start on an internal program. Common advice for bounty hunters, everything I've read, seems to be 'go deep'. However, my

experience, and to be fair a thing that I've just read the other day, is actually it seems that the top people, the people who are making the money off this, are going wide, not deep. These two chaps here are my proof of that as well: the fact that they're on a very wide range of firms rather than just rinsing a couple of them for everything they've got. Remember, oh yeah, from that side, be ready to learn, have fun, make money and grow those careers, and show off a bit. Cool, and we've hit that in time as well. ... I'm quite impressed. ... I've been too busy looking

at that to... looking at the audience. So, folks, that was me, that's a guide to a life of bug bounty triage. Yep, any questions? [Audience question] On that, caveat, a disclaimer on the front of that: I'm on the wrong side of the fence to answer that, and there are quite a few bounty hunters here who... hands up... I've started dabbling in that side, partly as a nice little bit of an experiment myself, because I'm, yeah, kind of interested, so I wanted to see how easy it was to get into. There are lots of stories about getting over that

initial hump to get onto the private programs as being quite hard, and I wanted to partly see that for myself. I mean, ultimately there are thousands of public programs out there, go and just see what you can find. I was discussing this with Sean at DC151, one of our local groups, a few months ago when I raised this, and this isn't just... people find stuff on public programs all the time, so don't believe this nonsense that public programs have been rinsed to death; there is still stuff on them. If you're looking for ways to actually get a little bit of a leg up, say, talk to triagers,

talk to us. If you're going onto a few schemes, focus... The other day, HackerOne CTF now actually also offers you invites to schemes, because I realized people are being invited to a scheme based on that rep alone, so a few other ways into that. But realistically, give it a go. In fact, even better advice: bugbountynotes.com, go and talk to them, go ask those guys, they're very talented guys, and far better placed to be giving advice, as they're actually doing it, rather than me. Another question? [Audience question] So you see some programs, comment on that, where they disclose the endpoints for vulnerabilities, so they found an XSS here, so the report

was a secure... here, so don't go and report it again until it's fixed. Yeah, interesting idea, and I mean I can see why that would work from the hunter's point of view. Going to my bosses at work and actually saying 'we're gonna disclose endpoints where we know we've got vulnerabilities' might not fly. ... The problem is that it's a case of: how do you tell people not to waste time on something without having them under that process? Yeah, almost... the concept of an NDA got raised by someone... I don't know quite how I feel about that, but it

certainly got me thinking, and I do wonder whether that's a future state of the bounty hunting world: likely to see sort of a step up from the private program, where you have a private program with an NDA. [Audience question] I think I'm not gonna like this, am I? ... Is there a conflict of interest between the devs writing the code and then... I predicted that question, the fact it's come from the room... No, it's never... because I have to have that slide. ...

... I had to have that slide on the end because everybody always asks me. ... Yes, it's a question I get asked about a lot. To me it's an absolute non-issue: if you're hiring developers that would raise bugs and then report them for bounty, you've got an HR problem, you've got a hiring problem, not a technical bug bounty program problem. And even if you go one stage further and sort of do the whole, yeah, well, two people colluding, you know, person A raises and person B fixes: we don't have a rule in our place that you

can't report issues with any code you've actually worked on, so it would technically be possible to get two people colluding. But where you've got collusion you've got conspiracy, and where you've got conspiracy you've got an extra risk. Are you going to do that for a couple of thousand dollars in bounty payments? Probably not. Well, yes, I mean, technically, absolutely, but... Anything else? Any more? [Audience question] Yes, some of the logic behind why companies prefer to pay on fix is that there is an incentive for the hacker to keep that knowledge private until they've been paid. However, if you're allowing people onto your scheme where the only thing

that's stopping them disclosing that vulnerability is the promise of money, again, you're probably attracting the wrong hackers. I mean, I get technically why you'd do it, but... Yeah, exactly that, literally the case that it's a contract, and, you know... Yes, that's why. So, cool, you've got a second? Let me go for it. [Audience question] ... you spend a lot of time, suppose that you realize this is horribly broken, so you say that, and a lot of the time they're really not getting what you're trying to do... basically,

how do you put that across to them in a way that doesn't scare them? That's a great question, and my only experience of that is on the other side of the fence, because obviously I've been working somewhere where we haven't got that problem, where we have got teams that are trained to deal with that. But yes, I've found myself in exactly that situation, because I'm technical, because I can explain the technical side and what's wrong with the site, and you realize it's just some guy that's thrown up a WordPress blog that he's followed some tutorial from eight years ago for, and so they're just 'if this doesn't work, chmod 777 everything, oh, it works'. You know, it's a

yeah, it's tough, and I haven't got a good answer for that, and if anybody has, let me know. I mean, I like to think I'm good at that; part of my job is explaining technical security concepts to, not to say non-technical, but certainly non-security people, so dumbing stuff down to a level for people is kind of what I do. But yeah, it is tough. I don't know if I've ever had the... I suppose to give you an answer on that: at the absolute beginning, don't focus on the technical vulnerability, focus on the risk, focus on what the actual consequence of that vulnerability could be, rather than 'hey, you know, you screwed

your permissions up' or whatever. ... [Audience question] ... other suggestions ... remediation information ... So if you could possibly remember: this is the problem, this is how to reproduce it, this is how to fix it, and I thought, use that suggestion of what they could do. Still, that's where internal schemes pay a dividend, because internally people have got access to the source and they actually understand the estate, so putting things like that in there is a massive win. When you look down that thing, yeah, I get that, so he says, by the way, this system over here, what you've done is screw this

thing up. It's like, great, I can throw that at the dev team, they're gonna look at validating it: 'yep, you're right, that fix is gonna work', out the door really quickly. Whereas sometimes if we go 'there's a thing over there that's wrong', 'I don't know why it's doing that, it worked all right when it was on a dev box, must be a Kubernetes problem'. So, but yeah, that's where clues to remediation coming in are a big, big, big help. Cool. ... he wasn't here earlier when I was talking about the money, was he? Cool, right, no more questions, thank you very much for that.